AuraInspector: An Open-Source Tool for Auditing Salesforce Aura Misconfigurations
The tool focuses on finding exposed data paths that could allow unauthorized users to access sensitive records, such as financial, identity, or health information, from an external perspective.
Salesforce Aura is the framework behind Salesforce’s Lightning Experience UI and Experience Cloud sites. It relies on an Aura endpoint that the front end uses to call backend controllers and retrieve object records.
Because Salesforce sharing rules and object permissions can be configured at several layers, administrators often struggle to spot subtle misconfigurations.
As a result, the Aura endpoint is a frequent target for attackers who attempt to enumerate objects, list records, or abuse overlooked functionality. Mandiant’s research highlights several techniques that can be abused when access controls are weak.
These include using Aura methods to retrieve large record sets, leveraging sorting and pagination to bypass the usual 2,000-record limit, bulk “boxcar” actions to query multiple objects in a single request, and discovery of Record List views and “home” URLs that may expose administrative interfaces or sensitive data views.
The team also documents how Aura controllers can surface self-registration status and URLs, which may enable attackers to obtain authenticated accounts if self-registration is misconfigured.
A key finding is the use of a GraphQL Aura controller to retrieve all records tied to misconfigured objects, with better pagination and introspection than traditional Aura methods.
While Salesforce confirms this is not a vulnerability when permissions are correctly configured, it significantly increases the impact of any existing misconfiguration.
AuraInspector automates these manual techniques. It discovers Aura endpoints, enumerates home and record list URLs, checks self-registration status, and audits object exposure, while limiting itself to read-only operations.
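To make the boxcar and pagination techniques above concrete, the following is an added Python example; it is not AuraInspector's code and not from Mandiant or Salesforce. It assembles one read-only getItems action per object into a single Aura request (a "boxcar"), pages each object until it stops returning full pages, and reports which objects the caller can list and how many records came back. The request layout (message, aura.context, aura.token form fields), the getItems descriptor and the response shape are assumptions drawn from public Aura research and should be checked against traffic captured from your own site; the HTTP transport is replaced by a constructed in-memory stand-in so the script runs offline.

```python
import json
from urllib.parse import urlencode, parse_qs

# Descriptor as documented in public Aura research (assumption: verify against
# your own captured Experience Cloud traffic). It lists records of one object.
GET_ITEMS = ("serviceComponent://ui.force.components.controllers.lists."
             "selectableListDataProvider.SelectableListDataProviderController"
             "/ACTION$getItems")

# The audit stays read-only: any other descriptor is refused before sending.
READ_ONLY_DESCRIPTORS = {GET_ITEMS}


def get_items_action(entity, page, page_size, action_id):
    """One getItems action; pageSize and currentPage are the pagination knobs."""
    return {
        "id": action_id,
        "descriptor": GET_ITEMS,
        "callingDescriptor": "UNKNOWN",
        "params": {
            "entityNameOrId": entity, "layoutType": "FULL",
            "pageSize": page_size, "currentPage": page,
            "useTimeout": False, "getCount": True, "enableRowActions": False,
            "getDefaultLayoutToken": False, "sortBy": "", "filterName": "__Recent",
        },
    }


def build_aura_body(actions, fwuid="", app="siteforce:communityApp"):
    """Form-encode the three fields an Aura POST carries. A guest caller sends
    aura.token=undefined; fwuid is normally scraped from the site's bootstrap JS."""
    for a in actions:
        if a["descriptor"] not in READ_ONLY_DESCRIPTORS:
            raise ValueError(f"refusing non-read-only descriptor {a['descriptor']}")
    context = {"mode": "PROD", "fwuid": fwuid, "app": app,
               "loaded": {}, "dn": [], "globals": {}, "uad": False}
    return urlencode({
        "message": json.dumps({"actions": actions}),   # several actions = boxcar
        "aura.context": json.dumps(context),
        "aura.token": "undefined",
    })


def audit_objects(send, entities, page_size=100, max_pages=50):
    """Boxcar one getItems per object into each request, then keep paging only
    the objects that still return full pages. send(body) -> parsed JSON; in a
    real audit it wraps an HTTP POST to <site>/s/sfsites/aura.
    Returns ({entity: record_count} for listable objects, [denied objects])."""
    exposed, denied, pending = {}, [], list(entities)
    for page in range(1, max_pages + 1):
        if not pending:
            break
        actions = [get_items_action(e, page, page_size, f"{i};a")
                   for i, e in enumerate(pending)]
        by_id = {a["id"]: a for a in send(build_aura_body(actions))["actions"]}
        still_paging = []
        for i, entity in enumerate(pending):
            act = by_id[f"{i};a"]
            if act["state"] != "SUCCESS":          # e.g. INSUFFICIENT_ACCESS
                if entity not in exposed:
                    denied.append(entity)
                continue
            rows = act["returnValue"]["result"]
            exposed[entity] = exposed.get(entity, 0) + len(rows)
            if len(rows) == page_size:             # full page: more may follow
                still_paging.append(entity)
        pending = still_paging
    return exposed, denied


def fake_aura_server(records_per_object):
    """Constructed stand-in for an Experience Cloud site (not real data): objects
    in the dict are listable with that many records, anything else is denied."""
    def send(body):
        actions = json.loads(parse_qs(body)["message"][0])["actions"]
        out = []
        for a in actions:
            p = a["params"]
            total = records_per_object.get(p["entityNameOrId"])
            if total is None:
                out.append({"id": a["id"], "state": "ERROR",
                            "error": [{"message": "INSUFFICIENT_ACCESS"}]})
                continue
            start = (p["currentPage"] - 1) * p["pageSize"]
            rows = [{"record": {"Id": f"{p['entityNameOrId']}-{n}"}}
                    for n in range(start, min(start + p["pageSize"], total))]
            out.append({"id": a["id"], "state": "SUCCESS",
                        "returnValue": {"result": rows, "totalCount": total}})
        return {"actions": out}
    return send


if __name__ == "__main__":
    send = fake_aura_server({"Case": 250, "Contact": 0, "Account": 100})
    exposed, denied = audit_objects(
        send, ["Case", "Contact", "Account", "PaymentRecord__c"], page_size=100)
    print("listable:", exposed)
    print("denied:", denied)
```

Against a live site, replace the stand-in with a function that POSTs the body to the site's Aura endpoint and returns the parsed JSON, and run it only against tenants you are authorized to test; an object that comes back listable for a guest (unauthenticated) caller is the kind of finding the tool's authors describe, and the fix is on the Salesforce side, in guest user permissions and sharing rules, not in the endpoint.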
By running the tool against their Experience Cloud instances, Salesforce administrators can more easily uncover overly permissive guest or authenticated access.
As Google observed during testing, the results help teams identify where sharing rules, guest user permissions, or self-registration settings are too broad, enabling faster remediation by tightening access controls before they can be abused.
The post AuraInspector: An Open-Source Tool for Auditing Salesforce Aura Misconfigurations appeared first on Cyber Security News.